Cybersecurity Risk Management: A Must For All Businesses

Recently, Golden State Bridge, Inc. was attacked by spyware designed to steal the construction company’s banking credentials. Within hours, hackers created fraudulent payroll transactions totaling more than $750,000. Fortunately, Golden State Bridge’s security team caught the breaches early and prevented much of the loss. In addition, the company’s cybersecurity insurance coverage compensated it for losses that it was not able to prevent.

Many other businesses have not been as prepared or as lucky. The Computer Security Institute of New York recently found that companies lost an average of $234,000 per breach in 2009, and cyberattacks are increasing drastically. Also, the Carnegie Mellon CyLab reported in 2010 that about 65% of all businesses, including some Fortune 500 companies, have ineffective or outdated cybersecurity policies. And, as we discussed previously, online financial theft is not the only concern. Regulations require high-level protection for some non-financial data.

The severity of the threat of cyberattacks is recognized by the U.S. government. President Obama recently said, “America’s economic prosperity in the 21st century will depend on cybersecurity.” In 2010, a number of related bills were introduced that are predicted to be among Congress’s top priorities for the 2011 session. They address the establishment of a National Center for Cybersecurity and Communications; mandatory annual reporting by the President on cybersecurity risk management; government intervention for catastrophic cyberattacks; and coordinated government/private insurer efforts to create affordable insurance to cover cybersecurity risks for businesses.

Business owners need to protect their valuable assets and guard against liability by testing and updating cybersecurity systems; considering cybersecurity insurance options; and educating employees on potential cyber-risks. To begin, businesses could review the Department of Homeland Security’s “Cybersecurity Resources,” which provides references for training, legal updates, and other information useful in defending against cyberattacks. Failure to take preventive action could result in catastrophic losses from which a company may never recover.